topic Re: SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error in GlobalProtect Discussions

SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error

Wimazal — Wed, 09 Oct 2024 13:10:40 GMT

Hey,

I have a really strange issue and I don't know how to solve it. We created and authentication profile and mapped it to our portal. Users from our domain lets call it ourcompanydomain, are able to connect with GlobalProtect-VPN (which opens M365 Loginpage) without any issues. But when external users are doing the same, they get "Matching client config not found" error. By the way Conditional Access settings in Entra ID are working as they should according to Sign in Logs and they accepted the invitation to our tenant as external guests.

I looked upon the Monitoring Logs for GlobalProtect and I saw that external users (their source user) show up as john.lennon#EXT#@ourcompanydomain.onmicrosoft.com, but our internal users show up as ringo.star@ourcompanydomain.com . This is because in Entra ID the UPN name has a different format for external users. Therefore I changed the Claims in Entra ID (Attributes & Claims) to send user.mail instead of the UPN name to the firewall (both for username and Name ID claims).

Now when an external user is trying to connect the correct mailadress/source user, is shown in monitoring in the correct format. But the "matching client config not found" error still shows up and I don't know why. In the gateway's client settings the user is added to the source user list and it's exactly the same as the the source user in monitoring.

If I set the gateway to allow any user in the gateway's client settings, connection is established without any problems so it definitely is some kind some usermatching of matching error.

I already deleted c:\users\username\AppData\Local\Palo Alto Networks\GlobalProtect .dat files as some websites suggest, but it doesn't help.

Re: SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error

Wimazal — Thu, 10 Oct 2024 07:28:16 GMT

SOLUTION FOUND

It's a Palo Alto interpretation problem, because the FW is not able to interpret @ symbols from external Entra Users (user.mail) and match them with users in Gateways's Client settings (for whatever reason) even though the source user (mail-address) is exactly the same in monitoring and gateway setting.

Solution:

Entra > Enterprise Applications > Palo Alto Networks > Single sign on > Edit Attributes & Claims > set unique user identifier (name id) to user.mail and username output must be transformed > source > transformation > RegexReplace > Attribute name usermail > Regex pattern = @[\w.-]+ > Replacement pattern = _entra > Add > Save.

Replace "@domain.xy with _entra for each user in the Gateway's client settings.

Re: SAML Entra ID/Azure VPN authentication - only external users getting "Matching client config not found" error

din100 — Thu, 10 Oct 2024 08:59:10 GMT

so how I fixed this issue by inviting the external users guest in our Entra ID and allowing access to the VPN that way. not sure that will work for you or not